System for automatic classification and protection unified to both cloud and on-premise environments

ABSTRACT

Methods, systems, and computer program products are described herein for the classification, tagging, and protection of data objects. Such techniques may be imposed on the data objects automatically regardless of whether the data objects are created/generated/interacted/downloaded/uploaded/accessed on the cloud-based environments and/or on-premises environments. The foregoing techniques are orchestrated from a centralized policy that is treated uniformly regardless of the data objects&#39; environment. Once a data object is identified, it is classified based on multiple criteria and a tag is associated therewith. An enforcement action may be applied to the data objects based on a defined policy. The tag attached to the data object may be used to search for related audit logs that track accesses to the data object. By associating the tag and protection persistently, data object(s) are treated uniformly (i.e., in the same manner) regardless of what environment it is in.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.15/942,235, filed on Mar. 30, 2018, which claims priority to U.S.Provisional Application Ser. No. 62/638,616, filed Mar. 5, 2018, theentireties of which are incorporated by reference herein.

BACKGROUND

Information protection solutions are often used separately foron-premises (also known as “on-prem”) and cloud environments. The mainreason is that there is no current discipline that can address the twoenvironments in a holistic way. This causes security professionals tomanage policies to secure data in multiple dashboards. In addition, theenforcement disciplines for on-premise and cloud workloads aredifferent, and therefore, a uniform and reliable policy for bothworkload types is difficult to implement and maintain. As an example, afile that is identified as confidential on a personal computer (PC) byan on-premise data loss protection (DLP) system may not be identifiedthe same way by a cloud-based DLP system because the systems usedifferent sets of rules. In another example, the cloud-based DLP systemand the on-premises DLP system may use different classification enginesthat do not implement the same identification techniques, resulting indifferent classifications (e.g., level sensitivity) of a same dataobject.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

Methods, systems, and computer program products are described herein forthe classification and protection of data objects. Such techniques maybe imposed on the data objects automatically regardless of whether thedata objects are created/generated in, interacted with in, downloadedby, uploaded by, and/or accessed by a cloud-based environment or anon-premise environment. Such techniques are orchestrated according to acentralized policy that enables uniform treatment of the data objectsregardless of the data objects' environment. Once a data object isidentified, it is classified based on multiple criteria (e.g., content,metadata, and context), and a tag classifying the data object isassociated thereto. An enforcement action may be applied to the dataobject based on a defined policy corresponding to the tag. The tagattached to the data object may be used to search for audit logs thattrack accesses to the data object. By associating the tag persistently,with which consistent protections can be applied, data objects aretreated uniformly (i.e., in the same manner) regardless of theirenvironment.

Further features and advantages of the invention, as well as thestructure and operation of various embodiments of the invention, aredescribed in detail below with reference to the accompanying drawings.It is noted that the invention is not limited to the specificembodiments described herein. Such embodiments are presented herein forillustrative purposes only. Additional embodiments will be apparent topersons skilled in the relevant art(s) based on the teachings containedherein.

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

The accompanying drawings, which are incorporated herein and form a partof the specification, illustrate embodiments of the present applicationand, together with the description, further serve to explain theprinciples of the embodiments and to enable a person skilled in thepertinent art to make and use the embodiments.

FIG. 1 shows a block diagram of an example system for classifying andprotecting a data object, according to an example embodiment.

FIG. 2 is a block diagram of a system configured to tag a data object,determine a policy for the data object, and perform an action withrespect to the data object in accordance with the policy, according toan example embodiment.

FIG. 3 depicts a flowchart for a method in a data object managerexecuting on a computing device for tagging a data object, retrieving apolicy for the tagged data object, and performing an action with respectto the data object in accordance with the retrieved policy, according toan example embodiment.

FIG. 4 is a block diagram of a computing device coupled to a serverconfigured with a management service to manage policies for handlingdata objects by a computing device, according to an example embodiment.

FIG. 5 depicts a flowchart for a method implemented by a managementservice of a server that is configured provide policies to a pluralityof computing devices, according to an example embodiment.

FIG. 6 is a block diagram of a computing device coupled to a serverconfigured with a management service to manage policies applied to dataobjects by a plurality of computing devices, according to an exampleembodiment.

FIG. 7 is a block diagram of an exemplary user device in whichembodiments may be implemented.

FIG. 8 is a block diagram of an example computing device that may beused to implement embodiments.

The features and advantages of the present invention will become moreapparent from the detailed description set forth below when taken inconjunction with the drawings, in which like reference charactersidentify corresponding elements throughout. In the drawings, likereference numbers generally indicate identical, functionally similar,and/or structurally similar elements. The drawing in which an elementfirst appears is indicated by the leftmost digit(s) in the correspondingreference number.

DETAILED DESCRIPTION I. Introduction

The present specification and accompanying drawings disclose one or moreembodiments that incorporate the features of the present invention. Thescope of the present invention is not limited to the disclosedembodiments. The disclosed embodiments merely exemplify the presentinvention, and modified versions of the disclosed embodiments are alsoencompassed by the present invention. Embodiments of the presentinvention are defined by the claims appended hereto.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to effect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

Numerous exemplary embodiments are described as follows. It is notedthat any section/subsection headings provided herein are not intended tobe limiting. Embodiments are described throughout this document, and anytype of embodiment may be included under any section/subsection.Furthermore, embodiments disclosed in any section/subsection may becombined with any other embodiments described in the samesection/subsection and/or a different section/subsection in any manner.

II. Example Embodiments for Classification and Protection for DataObjects

Techniques are described herein for the classification and protection ofdata objects. Data objects may each be classified based on a set ofconditions, which are evaluated by a data object manager of a computingdevice in which the data objects are stored. The data object manager maymaintain one or more tags representative of classifications andassociate the tags with the data objects based on how each data objectshould be handled. The tags persist with the data objects as the dataobjects are transferred and/or copied from one computing device toanother computing device regardless of the computing environment inwhich the computing devices are located. To protect the data objectsand/or the distribution thereof, one or more policies that specify anenforcement action to be taken with respect to the data objects areretrieved and utilized by the data object manager. Each of the policiesare associated with tags and are retrievable using the tags. The set ofconditions and policies are centrally maintained by a server, which isaccessible to a plurality of different computing devices comprisingrespective data object managers. By maintaining the conditions andpolicies in a central location that is accessible to a plurality ofdifferent computing devices that each include a data object manager.Each data object manager is enabled to retrieve the same set ofconditions and the policies (using the tags persistently associated withthe data objects), thus allowing each computing device to classify dataobjects in the same manner and enforce the same policies with respect tothe same data object regardless of the computing environment in whichthe particular computing device is located. This advantageously enablesthe data objects to be uniformly acted upon (e.g., protected) by alldata object managers, thereby ensuring that data, for example, is notunintentionally made available to an undesired party.

For instance, FIG. 1 shows a block diagram of an example system 100 forclassifying and protecting data objects, according to an exampleembodiment. As shown in FIG. 1, system 100 includes a server 106, acomputing device 102, and a computing device 104. Each of server 106,computing device 102, and computing device 104 may be communicativelyconnected to each other via network 108. Network 108 may comprise one ormore networks such as local area networks (LANs), wide area networks(WANs), enterprise networks, the Internet, etc., and may include one ormore of wired and/or wireless portions. Although a single computingdevice 102 is shown in FIG. 1, any number of computing devices 102 maybe present, including tens, hundreds, thousands, millions, etc. System100 of FIG. 1 and subsequent systems shown in the figures are generallydescribed as follows with respect a single instance of computing device102 for purposes of illustration and brevity, although the descriptionapplies to any number of computing device 102 in system 100 and otherdisclosed systems.

Server 106 is configured to execute and/or provide a management service114. Management service 114 is configured to enable a user (e.g., anadministrator) to specify and/or store a set of conditions which areused to classify a data object and/or specify and/or store one or morepolicies that specify one or more actions (e.g., enforcement actions) tobe taken with respect to the data object. For example, managementservice 114 may enable a user to select and/or configure conditionsand/or policies using a graphical user interface (GUI) (also referred toas a management console or dashboard). By interacting with managementservice 114, the user may generate tags, and associate the tags with theset of conditions and/or policies. Each tag may be defined to have oneor more corresponding conditions for being applied to a data object.Each policy may be associated with a corresponding tag, to be performedwith respect to a data object tagged with that tag. The tags may be usedby other devices (e.g., computing device 102) to search for and/orretrieve the associated policies. The set of conditions, the tags,and/or policies are applicable regardless of a computing environment inwhich a data object is located, because all computing environments havethe same tags for application, and download the same policies associatedwith those tags. Thus, a single management console or dashboard may beutilized to create and/or configure the set of conditions and/orpolicies for data objects that can reside in a plurality of differentcomputing environments. Examples of computing environments include, butare not limited to, an environment that is on-premises of a user orcompany or a cloud platform/architecture (i.e., cloud-based environment)that is maintained by a third party or the user or company.

As described herein, embodiments are applicable to any type of systemfor system 100 where client devices (e.g., computing device 102 and/orcomputing device 104) communicate with data servers (e.g., server 106)over a network (e.g., network 108). In accordance with an embodiment,server 106 is included in a cloud platform/architecture. A cloudplatform includes a networked set of computing resources, includingservers (e.g., server 106), routers, etc., that are configurable,shareable, provide data security, and are accessible over a network(e.g., network 108) such as the Internet. Cloud applications run on theresources, often atop operating systems that run on the resources, forentities that access the applications over the network. A cloud platformmay support multi-tenancy, where cloud platform-based software servicesmultiple tenants, with each tenant including one or more users who sharecommon access to software services of the cloud platform. Furthermore, acloud platform may support hypervisors implemented as hardware,software, and/or firmware that run virtual machines (emulated computersystems, including operating systems) for tenants. A hypervisor presentsa virtual operating platform for tenants.

A user (e.g., an administrator) may be enabled to specify the set ofconditions and/or policies by logging into a management console ordashboard provided by management service 114. A user may access themanagement console via computing device 104. As shown in FIG. 1,computing device 104 includes a display screen 118 and a browser 120. Auser may access the management console by interacting with anapplication at computing device 104 capable of accessing the managementconsole. For example, the user may use browser 120 to traverse a networkaddress (e.g., a uniform resource locator) to server 106, which invokesa user interface 122 (e.g., a web page) in a browser window rendered oncomputing device 104. By interacting with user interface 122, the usermay utilize the management console to specify the set of conditionsand/or policies and/or associate tags with the policies. Computingdevice 104 may be any type of stationary or mobile computing device,including a mobile computer or mobile computing device (e.g., aMicrosoft® Surface® device, a laptop computer, a notebook computer, atablet computer such as an Apple iPad™, a netbook, a smart phone etc.),a wearable computing device (e.g., a head-mounted device including smartglasses such as Google® Glass™, etc.), or a stationary computing devicesuch as a desktop computer or PC (personal computer).

Each instance of computing device 102 in system 100 may be considered aclient device, though this is not required. Each computing device 102may comprise one or more applications 110 (e.g., a software application)and a data object manager 112. Application(s) 110 may be any type ofsoftware applications or service, such as database applications, socialnetworking applications, messaging applications, financial servicesapplications, news applications, search applications, productivityapplications, file hosting applications, etc. Examples of suchapplications include a SQL (structured query language) database,Salesforce.com™, Facebook®, Twitter®, Instagram®, Yammer®, LinkedIn®,Yahoo!® Finance, The New York Times® (at www.nytimes.com), Googlesearch, Microsoft® Bing, Google Docs™, Microsoft® Office 365, Dropbox™,etc. Application(s) 110 may be configured to receive, create, generate,interact with, download, upload, delete, modify, access, and/or transmitdata objects (e.g., data object 124). Examples of data objects include,but are not limited to, a data file, a database object (e.g., a table, adirectory, etc.), structured data, unstructured data, semi-structureddata, a data container, etc. Each computing device 102 may be any typeof stationary or mobile computing device, including a mobile computer ormobile computing device (e.g., a Microsoft® Surface® device, a laptopcomputer, a notebook computer, a tablet computer such as an Apple iPad™,a netbook, a smart phone etc.), a wearable computing device (e.g., ahead-mounted device including smart glasses such as Google® Glass™etc.), or a stationary computing device such as a desktop computer or PC(personal computer).

Data object manager 112 is configured to retrieve a set of conditionsmaintained centrally by management server 114. Using the set ofconditions, data object manager 112 may determine and/or associatetag(s) 116 with data object 124. After determining and/or associatingtag(s) 116 with data object 124, data object manager 112 may retrievepolicies that are associated with tag(s) 116 and perform one or moreactions (e.g., enforcement actions) in accordance with the policies. Anytype of enforcement action may be performed with respect to a dataobject. For instance, an enforcement action may include, but is notlimited to, encryption, controlling usage aspects (e.g., applyingconditional access to users with certain clearance levels based on thetag or it may identify unauthorized entitlements that are applied to adata object that are not in accordance with the tag defined on the file,where in consequence it may revoke those entitlements), etc. In furtherdetail, examples of enforcement actions include, but are not limited to,encrypting data object 124, placing restrictions on data object 124(e.g., limiting the number of users that are allowed access to dataobject 124), watermarking data object 124, moving data object 124 to aparticular location, quarantining data object 124 (e.g., moving to aquarantine folder), performing some type of modification to data object124, etc.). Each data object manager 112 associated with a particularcomputing device of computing device 102 is configured to retrieve thesame set of conditions and policies maintained by management service 114and enforce the same policies with respect to the same data object (orinstance thereof) due to the applied tag, regardless of the computingenvironment in which the particular computing device is located. Thisadvantageously enables the data object to be uniformly acted upon acrossinstances of data object manager 112. Accordingly, data objects that areclassified as being private, confidential, etc., in one computingenvironment, will also be classified as such in another computingenvironment, thereby ensuring the data object is uniformly protected inaccordance with the associated policies.

The tagging, policy determination, and enforcement actions to beperformed with respect to a data object may be enabled in various waysin embodiments. For instance, FIG. 2 is a block diagram of a system 200configured to tag a data object, determine a policy for the data object,and perform an action with respect to the data object in accordance withthe policy, according to an example embodiment. As shown in FIG. 2,system 200 includes computing device 104, server 106, and computingdevice 102. System 200 is described as follows.

As shown in FIG. 2, management service 114 may include a managementconsole 202, one or more data stores 204, and a distribution service206. As described above with reference to FIG. 1, computing device 104may access management console 202 to specify a set of conditions whichare used to classify and tag a data object, specify a set of policies,and/or associate tags with the set of policies. The set of conditionsand/or policies may be stored in data store(s) 204 (shown ascondition(s) 208 and polic(ies) 210, respectively). In particular,condition(s) 208 may be defined via user interface 128 provided bymanagement console 202. Using user interface 128, a user may be enabledto select and/or configure conditions and/or specify tags to be appliedto a data object upon the conditions being met (e.g., evaluated to betrue). The conditions may be selected from pre-defined types/categories,or alternatively, may be fully-defined by the user. The pre-definedtypes/categories may be searched for and/or filtered based on filterfactors (e.g., via an industry such as Financial, Medical and Health,Privacy, etc.). The user is further enabled to save conditions (e.g., todata store(s) 204), discard conditions, modify conditions, delete tags(and their associated conditions), etc. The set of conditions and/orpolicies stored in data store(s) 204 may be enforceable in a pluralityof different computing environments and retrievable by differentcomputing devices located in those different computing environments.

As further shown in FIG. 2, data object manager 112 of computing device104 may include a conditions retriever 214, an object tagger 216, anaction enforcer 218, and an access monitor 220. To tag a data object,data object manager 112 may receive a data object 124 provided byapplication(s) 110, and conditions retriever 214 may query distributionservice 206 for a set of conditions (e.g., condition(s) 208) which areto be evaluated with respect to the data object. Data store(s) 204provide condition(s) 208 to distribution service 206, and distributionservice 206 provides condition(s) 208 to data object manager 112. Uponreceiving condition(s) 208, object tagger 216 may analyze data object124 using condition(s) 208, automatically determine a classification fordata object 124, and determine a tag (e.g., of tag(s) 116) for dataobject 124 that correspond to the classification. Condition(s) 208 maybe used to analyze one or more properties of data object 124 (e.g., alocation of data object 124 (a directory, a particular storage devicepartition, a particular storage device, a particular storage devicecollection/network, a particular region, etc.), an ownership of dataobject 124 (e.g., a user, an administrator, an enterprise or otherentity, etc.), a content of data object 124 (e.g., textual information,a word processing document, a spreadsheet, private information, publicinformation, an audio file, a video file, etc.), metadata associatedwith data object 124, or other parameters, such as a file size or fileextension of data object 124. For instance, to determine whether a dataobject includes private information, a condition of condition(s) 208 mayevaluate whether a data object contains particular keywords (e.g.“private”, “confidential,” “social security number,” “credit cardnumber”) (and/or a particular number of occurrences thereof). If thiscondition holds true for the data object being analyzed, then objecttagger 216 may automatically create a tag representative of the privatedata (e.g., the tag may be “private,” “top secret,” “confidential”,etc.). It is noted that this example condition is merely provided fordemonstrative purposes, and that an administrator may specify any typeof condition to classify a data object.

In lieu of automatically determining tag(s) 116, the classification ofdata object 124 may be a manual process performed by a user and/oradministrator, and/or a user or administrator may be enabled to manuallyadjust an automatically determined classification.

Once data object 124 has been tagged, tag(s) 116 remain with data object124 when it is transported from one location to another (i.e., tag(s)116 persist with data object 124 regardless of the location of dataobject 124 or the computing environment in which data object 124resides).

Tag(s) 116 associated with data object 124 may be associated in anymanner, including being stored in data object 124 (e.g., in a header,footer, or body of the data object, in a property field thereof, etc.)as attributes of data object 124, or may be stored in a table or otherdata structure linked to data object 124 (e.g., the table associates anidentifier for data object 124 with tag(s) 116).

Action enforcer 218 is configured to query distribution service 210 toretrieve polic(ies) 224 that are associated with tag(s) 116. Forexample, action enforcer 218 may provide a tag identifier thatidentifies tag(s) 116 determined for data object 124 to distributionservice 206, and distribution service 206 may retrieve polic(ies) 210associated with tag(s) 116 from data store(s) 204 and provide retrievedpolic(ies) 210 to action enforcer 218. For instance, distributionservice 206 may provide a query that includes the tag identifiers todata store(s) 204, and data store(s) 204 may return polic(ies) 210 thatare associated with tag(s) 116 identified by the tag identifiers.Polic(ies) 210 may be retrieved upon application(s) 110 being launched;however, the embodiments disclosed herein are not so limited. Forexample, polic(ies) 210 may be retrieved upon application(s) 110performing a particular action (e.g., saving a file associated with dataobject 124). Action enforcer 218 may perform enforcement actions withrespect to data object 124 in accordance with retrieved polic(ies) 210.Examples of enforcement actions include, but are not limited to,encrypting data object 124, placing restrictions on data object 124(e.g., limiting the number of users that are allowed access to dataobject 124), watermarking data object 124, moving data object 124 to aparticular location, quarantining data object 124, performing some typeof modification to data object 124, etc.).

When the data object is moved to another location (e.g., to anothercomputing device on the premises of a user or company or a cloud-basedenvironment), the data object manager associated therewith may querydistribution service 206 to obtain condition(s) 208 and/or polic(ies)210 from data store(s) 204. If the data object is already tagged withtags, the data object manager may query distribution service 206 forpolic(ies) 210, but not condition(s) 208 because the data object isalready tagged.

In accordance with an embodiment, data object manager 112 isincorporated as part as application(s) 110. In accordance with anotherembodiment, data object manager 112 is a service that is communicativelycoupled to application(s) 110 via one or more application programminginterfaces.

Access monitor 220 is configured to monitor one or more accesses to dataobject 124 and transmit indications thereof. For example, each time adata object is accessed (e.g., created, opened, closed, modified,deleted, etc.), access monitor 220 detects the access, and provides anindicator to distribution service 206 that specifies the type of dataaccess performed. For instance, access monitor 220 may be configured todirectly detect the accesses, or to receive indications of the accessesfrom an operating system component involved in data object accesses.Access monitor 220 may further provide to distribution service 206 anidentifier that identifies data object 124 (e.g., a file name), a tagidentifier that identifies tag(s) 116 and/or a location of data object124 (e.g., a directory, a particular storage device partition, aparticular storage device, a particular storage devicecollection/network, a particular region, etc.). Using the indicatorsthat specify the type of data accesses performed, distribution service206 may store a record of the types of data accesses performed withrespect to data object 124 as one or more audit logs 212 in datastore(s) 204. Distribution service 206 may further associate the tagidentifiers, the identifier that identifies data object 124 and/or thelocation of data object 124 with audit log(s) 212 maintained for dataobject 124. Computing device 102 that manages data object 124 (or aninstance thereof) via a respective data object manager may provide theforegoing indicators to distribution service 206. Distribution service206 may aggregate all the types of data accesses performed with respectto data object 124 across each computing device 102 and store theaggregated data accesses in audit log(s) 212. Data store(s) 204 maymaintain audit log(s) 212 for any number of data objects maintained byany number of computing device 102 in any number of computingenvironments.

An administrator, using management console 202, may retrieve auditlog(s) 212 for a data object maintained by instances of computing device102 and advantageously track each data object in a centralized fashionregardless of where the data object is and has been located. Theadministrator may also be enabled to search for data objects (e.g., dataobject 124) based on their associated tags (e.g., tag(s) 116). Forexample, if the administrator wanted to determine where all of her/hisdata sensitive data objects are located, the administrator simply needsto search for the data objects based on a corresponding tag (e.g.,“confidential,” “top secret,” “private,” etc.). For instance, managementconsole 202 may provide a search mechanism (e.g., a search box displayedvia user interface 122) in which an administrator enters in one or moretag values (e.g., an alphanumerical string) corresponding to tagsassociated with a data object. Management service 114 may then searchdata store(s) 204 for audit log(s) 212 that are associated with the tagscorresponding to the tag values and return a location of each dataobject having the tags (e.g., a location of computing device 102 and/orthe computing environments in which the data object is located) to theuser (e.g., via user interface 122).

It is noted that while data store(s) 204 is shown in FIG. 2 as beingincluded in server 106, data store(s) 204 may located externally toserver 106 and may be communicatively coupled thereto.

Accordingly, a data object may be tagged, a policy for the tagged dataobject may be retrieved, and an action may be performed with respect tothe data object in accordance with the retrieved policy in many ways.For instance, FIG. 3 shows a flowchart 300 for a method in a data objectmanager executing on a computing device for tagging a data object,retrieving a policy for the tagged data object, and performing an actionwith respect to the data object in accordance with the retrieved policy,according to an example embodiment. Flowchart 300 is described withrespect to FIG. 4 for illustrative purposes. FIG. 4 shows a blockdiagram of a system 400 that includes a computing device 402 coupled toa server 426, according to an example embodiment. Computing device 402and server 426 are examples of computing device 102 and server 106, asrespectively described above with reference to FIGS. 1 and 2. As shownin FIG. 4, computing device 402 comprises a data object manager 412,which comprises a conditions retriever 415, an object tagger 417, anaction enforcer 418, and access monitor 420, and a data object 424.Server 426 comprises a management service 414, which comprises adistribution service 406 and one or more data store(s) 404. Data objectmanager 412, conditions retriever 415, object tagger 417, actionenforcer 418, and access monitor 420, are examples of data objectmanager 112, conditions retriever 214, object tagger 216, actionenforcer 218, and access monitor 220, as respectively described abovewith reference to FIGS. 1 and 2. Management service 414, distributionservice 406 and data store(s) 404 are examples of management service114, distribution service 206 and data store(s) 204, as respectivelydescribed above with reference to FIGS. 1 and 2. As further shown inFIG. 2, data store(s) 404 may store a set of condition(s) 408,polic(ies) 410, and/or audit log(s) 412. Set of condition(s) 408,polic(ies) 410, and audit log(s) 412 are examples of set of condition(s)208, polic(ies) 210, and audit log(s) 212, as respectively describedabove with reference to FIG. 2. In an embodiment, flowchart 300 may beperformed by data object manager 412. Flowchart 300 and system 400 aredescribed as follows.

Flowchart 300 begins with step 302. In step 302, a set of conditions isreceived from a server accessible over a network by the computingdevice. For example, with reference to FIG. 4, computing device 402receives condition(s) 408 from server 426 over a network (e.g., network108, as shown in FIG. 1). For instance, conditions retriever 415 maytransmit a query 401 to distribution service 406 of server 426. Inresponse, distribution service 406 may send query 401 to data store(s)404 to retrieve condition(s) 408. Data store(s) 404 may provide aresponse 403 including condition(s) 408 to distribution service 406,which transmits response 403 to conditions retriever 415. Conditionsretriever 415 provides condition(s) 408 to object tagger 417.

In step 304, a tag is determined for a data object stored on thecomputing device based on the set of conditions. For example, withreference to FIG. 4, object tagger 417 may determine tag(s) 422 for dataobject 424 based on condition(s) 408. For example, object tagger 417 mayapply a tag that is associated with conditions by a user using userinterface 128.

In accordance with one or more embodiments, the set of conditions isused to analyze at least one property of the data object. Any number andtype of properties of the data object may be analyzed, including alocation of the data object, an ownership of the data object, content ofthe data object, metadata associated with the data object, anapplication that accessed the data object, etc. In an embodiment, objecttagger 417 may sequence through properties of the data object, comparingthe property value of each property to condition values of theconditions, and selecting the tag based on a determined match between aproperty value and a condition value, the selected tag corresponding tothe condition having the matching condition value.

In step 306, the data object is tagged with the determined tag. Forexample, with reference to FIG. 4, object tagger 417 may tag data object424 with tag(s) 422. Tag(s) 422 are examples of tag(s) 116, as describedabove with reference to FIGS. 1 and 2.

In accordance with one or more embodiments, tagging the data objectcomprises tagging the data object with the tag by changing the dataobject to include the tag. For instance, tag(s) 422 associated with dataobject 424 may be stored in data object 424 (e.g., in a header, footer,or body of the data object, in a property field thereof, etc.) asattributes of data object 424. In another embodiment, a data object maybe tagged with a tag by storing the tag in a table, file, or other datastructure maintained in association with the data object (e.g., storedin a same folder, indicating the data object and the tag in a table asassociated, etc.).

In step 308, a policy is retrieved from the server based on the tag. Thepolicy specifies an enforcement action to be performed by the dataobject manager with respect to the data object. For example, withreference to FIG. 4, action enforcer 418 retrieves polic(ies) 410 fromserver 426. Note that same polic(ies) 410 are retrievable andenforceable by other data object managers executing on other computingdevices located in different computing environments.

In accordance with one or more embodiments. a tag identifier thatidentifies the tag is provided to the server in a policy request (Notethat the policy request may include multiple tags if the data object hasbeen tagged by multiple tags). The server is configured to determine thepolicy based on the tag identifier and provide the determined policy tothe computing device in response to the policy request. For instance,with reference to FIG. 4, action enforcer 418 may send a query 405(policy request) including tag identifiers that identify tag(s) 422 todistribution service 406 of server 426. In response, distributionservice 406 provides query 405 to data store(s) 404, and data store(s)404 provide a response 407 that includes polic(ies) 410 that areassociated with tag(s) 422 to distribution service 406. Distributionservice 406 provides response 407 to action enforcer 418.

In step 310, the specified enforcement action is performed. For example,with reference to FIG. 4, action enforcer 418 performs the specifiedenforcement action. In accordance with one or more embodiments, theenforcement action comprises at least one of encrypting the data object,placing one or more restrictions on the data object, watermarking thedata object, moving the data object to a particular location,quarantining the data object, or performing a modification to the dataobject. It is noted that action enforcer 418 may cause another entity(e.g., application(s) 110, as shown in FIGS. 1 and 2) to perform theenforcement action instead of performing the enforcement action itself.

As such, in the manner of flowchart 200, polic(ies) 410 are retrievaland enforceable by multiple data object managers executing on computingdevices (e.g., instances of computing devices 102) located in differentcomputing environments. In accordance with one or more embodiments, eachof the different computing environments comprises a computingenvironment that is on the premise of a user or company that maintainsthe computing device or a cloud-based computing environment. Byretrieving the same polic(ies) 410 to each of the computingenvironments, and enforcing the policies for data objects tagged withthe corresponding tags, a uniform application of policies is appliedacross computing environments.

In accordance with one or more embodiments, a determination is made thatan access to the data object has occurred and an identification of thedetermined access is provided to the server. For instance, withreference to FIG. 4, access monitor 420 may determine that an access todata object 424 has occurred and provide a request 409 that identifiesthe type of data object access to distribution service 406 of server426.

In accordance with one or more embodiments, an identifier of the dataobject and a tag identifier that identifies the tag of the data objectis also provided to the server. The server associates the identifier ofthe data object and the tag identifier to the identification of thedetermined access. For example, with reference to FIG. 4, request 409may further include an identifier of data object 424 and a tagidentifier that identifies tag(s) 422 of data object 424. In response,distribution service 406 creates and/or updates audit log(s) 412associated with data object 424 to include an association between theidentifier of data object 424 and/or the tag identifier with the type ofdata access that occurred (as identified by the identification of thedetermined access) with respect to computing device 402.

Management service 414 may be configured to provide policies to anynumber of computing device in many ways. For instance, FIG. 5 shows aflowchart 500 for a method implemented by a management service of aserver that is configured provide policies to a plurality of computingdevices, according to an example embodiment. In an embodiment, flowchart500 may be implemented by a management service 614 shown in FIG. 6. FIG.6 shows a block diagram of a system 600 that includes a server 626coupled to computing device 104, a computing device 602A and a computingdevice 602B, according to an example embodiment. Server 626, computingdevice 602A, and computing device 602B are examples of server 106 andcomputing device 102, as respectively described above with reference toFIGS. 1 and 2. As shown in FIG. 6, server 626 comprises managementservice 614, which comprises a management console 628, one or more datastores 604, and a distribution service 606. Computing device 602Acomprises a data object manager 612A, which comprises an action enforcer618A, an access monitor 620A, and a data object 624A. Computing device602B comprises a data object manager 612B, which comprises an actionenforcer 618B, an access monitor 620B, and a data object 624B.Management console 628, data store(s) 604, and distribution service 606are examples of management console 202, data store(s) 204, anddistribution service 204, as described above with respect to FIG. 2.Data object managers 612A and 612B, action enforcer 618A and 618B, andaccess monitor 420A and 420B, are examples of data object manager 112,action enforcer 218, and access monitor 220, as respectively describedabove with reference to FIGS. 1 and 2. As further shown in FIG. 6, datastore(s) 604 may store a set of condition(s) 608, polic(ies) 610, and/oraudit log(s) 616. Set of condition(s) 608, polic(ies) 610, and auditlog(s) 616 are examples of set of condition(s) 208, polic(ies) 210, andaudit log(s) 212, as respectively described above with reference to FIG.2.

Flowchart 500 and system 600 are described as follows, in particularillustrating how uniform application of policies to data objects acrossdifferent computing environments is enabled by application of uniformtags to the data objects, according to embodiments.

Flowchart 500 begins with step 502. In step 502, a first query for apolicy specifying an enforcement action to be performed by a firstinstance of a data object manager executing on a first computing devicewith respect to a first instance of a data object is received. The firstquery is received from the first computing device, which stores thefirst instance of the data object, and is accessible over a network bythe server. The first query comprises a first tag identifier thatidentifies a tag associated with the first instance of the data object.For example, with reference to FIG. 6, distribution service 606 receivesa first query 601 from action enforcer 618A of computing device 602A.First query 601 is for a policy (e.g., polic(ies) 610) that specify anenforcement action to be performed by data object manager 612A withrespect to data object 624A. First query 601 may comprise a tagidentifier that identifies tag(s) 622A associated with data object 624A.

In step 504, the policy to be provided to the first computing device isdetermined based on the first tag identifier, and the determined policyis provided to the first computing device. The policy is enforceable bythe first instance of the data object manager. For example, withreference to FIG. 6, distribution service 606 provides first query 601to data store(s) 604. Data store(s) 604 use the tag identifier includedin first query 601 to search for polic(ies) 610 that are associated withthe tags specified by the tag identifier and provides a response 603that includes the matching polic(ies) 610 to distribution service 606.Distribution service 606 provides response 603 to action enforcer 618A.

In step 506, a second query for a policy specifying an enforcementaction to be performed by a second instance of a data object managerexecuting on the second computing device with respect to a secondinstance of a data object is received. The second query is received fromthe second computing device, which stores the second instance of thedata object, and is accessible over a network by the server. The secondquery comprises a second tag identifier that identifies a tag associatedwith the second instance of the data object. The second tag identifieris the same as the first tag identifier. For example, with reference toFIG. 6, distribution service 606 receives a second query 605 from actionenforcer 618B of computing device 602B. Second query 605 is for a policy(e.g., polic(ies) 610) that specify an enforcement action to beperformed by data object manager 612B with respect to data object 624B.Second query 605 may comprise a tag identifier that identifies tag(s)622B associated with data object 624B. First computing device 602A andsecond computing device 602B use the same classification scheme todetermine tags for their respective data object (i.e., data object 624Aand 624B, which are two instances of the same data object). Therefore,each of data object 624A and data object 624B are classified with thesame tags (i.e., tag(s) 622A and 622B are the same).

In step 508, a policy to be provided to the second computing device isdetermined based on the second tag identifier, and the determined policyis provided to the second computing device. The policy is enforceable bythe second instance of the data object manager and is the same policyprovided to the first computing device. For example, with reference toFIG. 6, distribution service 606 provides second query 605 to datastore(s) 604. Data store(s) 604 use the tag identifier included insecond query 605 to search for polic(ies) 610 that are associated withthe tags specified by the tag identifier and provides a response 607that includes the matching polic(ies) 610 to distribution service 606.Distribution service 606 provides response 607 to action enforcer 618B.Because data object 624B is the same as data object 624A, and are taggedby the same tag, action enforcer 618B of data object manager 612Breceives the same policy as action enforcer 618A of data object manager612A.

In accordance with one or more embodiments, server 626 is in a firstcomputing environment and at least one of computing device 602A orsecond computing device 602B is in a second computing environment.

In accordance with one or more embodiments, the distribution service isfurther configured to receive, from the first computing device, a firstidentification of an access to the first instance of the data object viafirst computing device, receive, from the second computing device, asecond identification of an access to the second instance of the dataobject via the second computing device, and store the firstidentification and the second identification in a data store coupled tothe server. For example, with reference to FIG. 6, distribution service606 may receive a first identification 609A that identifies access(es)to data object 624A from computing device 602A and may receive a firstidentification 609B that identifies access(es) to data object 624B fromcomputing device 602B. Distribution service 606 may store firstidentification 609A and second identification 609B in data store(s) 604as audit log(s) 616. An audit log of audit log(s) 616 may log/storeaccess information in any manner, including in a table, array, list orany other data structure. For each log entry, the audit log may includeany combination of access information, including one or more of anidentifier for the data object, an identifier for the computing devicemaking the access to the data object, an identifier for the data objectmanager reporting the access of the data object, a date/time of the dataaccess to the data object, a type of access to the data object (e.g.,read, write, modify, etc.), etc.

In accordance with one or more embodiments, a management console isconfigured to access the data store to provide an aggregated view of theaccesses performed on the first instance and the second instance of thedata object via the first computing device and the second computingdevice, the aggregated view being provided via a graphical userinterface. For example, with reference to FIG. 6, management console 328may access audit log(s) 616 stored in data store(s) 604 and provides anaggregated view of the accesses performed on data object 624A and dataobject 624B via user interface 128.

In accordance with one or more embodiments, a management console isconfigured to provide a graphical user interface that enables a user tospecify a set of conditions that are used by at least one of the firstinstance of the data object manager to analyze at least one property ofthe first instance of the data object or the second instance of the dataobject manager to analyze at least one property of the second instanceof the data object, the tag associated with the first instance of thedata object being determined based on the analysis of the at least oneproperty of the first instance of the data object, the tag associatedwith the second instance of the data object being determined based onthe analysis of the at least one property of the second instance of thedata object. For example, with reference to FIG. 6, management console628 is configured to provide user interface 128 that enables a user tospecify condition(s) 608 that are used by data object manager 612A toanalyze at least one property of data object 624A or used by data objectmanager 612B to analyze at least one property of data object 624B.Tag(s) 622A associated with data object 624A are determined based on theanalysis of the at least one property of data object 624A, and tag(s)622B associated with data object 624B are determined based on theanalysis of the at least one property of data object 624B.

III. Example Mobile and Stationary Device Embodiments

The systems described above, including the classification, policydetermination, and data protection embodiments described in reference toFIGS. 1-6, may be implemented in hardware, or hardware combined with oneor both of software and/or firmware. For example, management service114, management service 414, management service 614, data object manager112, data object manager 412, data object manager 612A, data manager612B, and/or each of the components described therein, and flowchart 300and/or flowchart 500 be each implemented as computer programcode/instructions configured to be executed in one or more processorsand stored in a computer readable storage medium. Alternatively,management service 114, management service 414, management service 614,data object manager 112, data object manager 412, data object manager612A, data manager 612B, and/or each of the components describedtherein, and flowchart 300 and/or flowchart 500 may be implemented ashardware logic/electrical circuitry. In an embodiment, managementservice 114, management service 414, management service 614, data objectmanager 112, data object manager 412, data object manager 612A, datamanager 612B, and/or each of the components described therein, andflowchart 300 and/or flowchart 500 may be implemented in one or moreSoCs (system on chip). An SoC may include an integrated circuit chipthat includes one or more of a processor (e.g., a central processingunit (CPU), microcontroller, microprocessor, digital signal processor(DSP), etc.), memory, one or more communication interfaces, and/orfurther circuits, and may optionally execute received program codeand/or include embedded firmware to perform functions.

FIG. 7 shows a block diagram of an exemplary mobile device 700 includinga variety of optional hardware and software components, shown generallyas components 702. Any number and combination of the features/elementsof management service 114, management service 414, management service614, data object manager 112, data object manager 412, data objectmanager 612A, data manager 612B, and/or each of the components describedtherein, and flowchart 300 and/or flowchart 500 may be implemented ascomponents 702 included in a mobile device embodiment, as well asadditional and/or alternative features/elements, as would be known topersons skilled in the relevant art(s). It is noted that any ofcomponents 702 can communicate with any other of components 702,although not all connections are shown, for ease of illustration. Mobiledevice 700 can be any of a variety of mobile devices described ormentioned elsewhere herein or otherwise known (e.g., cell phone,smartphone, handheld computer, Personal Digital Assistant (PDA), etc.)and can allow wireless two-way communications with one or more mobiledevices over one or more communications networks 704, such as a cellularor satellite network, or with a local area or wide area network.

The illustrated mobile device 700 can include a controller or processorreferred to as processor circuit 710 for performing such tasks as signalcoding, image processing, data processing, input/output processing,power control, and/or other functions. Processor circuit 710 is anelectrical and/or optical circuit implemented in one or more physicalhardware electrical circuit device elements and/or integrated circuitdevices (semiconductor material chips or dies) as a central processingunit (CPU), a microcontroller, a microprocessor, and/or other physicalhardware processor circuit. Processor circuit 710 may execute programcode stored in a computer readable medium, such as program code of oneor more applications 714, operating system 712, any program code storedin memory 720, etc. Operating system 712 can control the allocation andusage of the components 702 and support for one or more applicationprograms 714 (a.k.a. applications, “apps”, etc.). Application programs714 can include common mobile computing applications (e.g., emailapplications, calendars, contact managers, web browsers, messagingapplications) and any other computing applications (e.g., wordprocessing applications, mapping applications, media playerapplications).

As illustrated, mobile device 700 can include memory 720. Memory 720 caninclude non-removable memory 722 and/or removable memory 724. Thenon-removable memory 722 can include RAM, ROM, flash memory, a harddisk, or other well-known memory storage technologies. The removablememory 724 can include flash memory or a Subscriber Identity Module(SIM) card, which is well known in GSM communication systems, or otherwell-known memory storage technologies, such as “smart cards.” Thememory 720 can be used for storing data and/or code for running theoperating system 712 and the applications 714. Example data can includeweb pages, text, images, sound files, video data, or other data sets tobe sent to and/or received from one or more network servers or otherdevices via one or more wired or wireless networks. Memory 720 can beused to store a subscriber identifier, such as an International MobileSubscriber Identity (IMSI), and an equipment identifier, such as anInternational Mobile Equipment Identifier (IMEI). Such identifiers canbe transmitted to a network server to identify users and equipment.

A number of programs may be stored in memory 720. These programs includeoperating system 712, one or more application programs 714, and otherprogram modules and program data. Examples of such application programsor program modules may include, for example, computer program logic(e.g., computer program code or instructions) for implementing thesystems described above, including the classification, policydetermination, and data protection embodiments described in reference toFIGS. 1-6.

Mobile device 700 can support one or more input devices 730, such as atouch screen 732, microphone 734, camera 736, physical keyboard 738and/or trackball 740 and one or more output devices 750, such as aspeaker 752 and a display 754.

Other possible output devices (not shown) can include piezoelectric orother haptic output devices. Some devices can serve more than oneinput/output function. For example, touch screen 732 and display 754 canbe combined in a single input/output device. The input devices 730 caninclude a Natural User Interface (NUI).

Wireless modem(s) 760 can be coupled to antenna(s) (not shown) and cansupport two-way communications between processor circuit 710 andexternal devices, as is well understood in the art. The modem(s) 760 areshown generically and can include a cellular modem 766 for communicatingwith the mobile communication network 704 and/or other radio-basedmodems (e.g., Bluetooth 764 and/or Wi-Fi 762). Cellular modem 766 may beconfigured to enable phone calls (and optionally transmit data)according to any suitable communication standard or technology, such asGSM, 3G, 4G, 5G, etc. At least one of the wireless modem(s) 760 istypically configured for communication with one or more cellularnetworks, such as a GSM network for data and voice communications withina single cellular network, between cellular networks, or between themobile device and a public switched telephone network (PSTN).

Mobile device 700 can further include at least one input/output port780, a power supply 782, a satellite navigation system receiver 784,such as a Global Positioning System (GPS) receiver, an accelerometer786, and/or a physical connector 790, which can be a USB port, IEEE 1394(FireWire) port, and/or RS-232 port. The illustrated components 702 arenot required or all-inclusive, as any components can be not present andother components can be additionally present as would be recognized byone skilled in the art.

Furthermore, FIG. 8 depicts an exemplary implementation of a computingdevice 800 in which embodiments may be implemented, including managementservice 114, management service 414, management service 614, data objectmanager 112, data object manager 412, data object manager 612A, datamanager 612B, and/or each of the components described therein, andflowchart 300 and/or flowchart 500. The description of computing device800 provided herein is provided for purposes of illustration, and is notintended to be limiting. Embodiments may be implemented in further typesof computer systems, as would be known to persons skilled in therelevant art(s).

As shown in FIG. 8, computing device 800 includes one or moreprocessors, referred to as processor circuit 802, a system memory 804,and a bus 806 that couples various system components including systemmemory 804 to processor circuit 802. Processor circuit 802 is anelectrical and/or optical circuit implemented in one or more physicalhardware electrical circuit device elements and/or integrated circuitdevices (semiconductor material chips or dies) as a central processingunit (CPU), a microcontroller, a microprocessor, and/or other physicalhardware processor circuit. Processor circuit 802 may execute programcode stored in a computer readable medium, such as program code ofoperating system 830, application programs 832, other programs 834, etc.Bus 806 represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. System memory 804 includes readonly memory (ROM) 808 and random access memory (RAM) 810. A basicinput/output system 812 (BIOS) is stored in ROM 808.

Computing device 800 also has one or more of the following drives: ahard disk drive 814 for reading from and writing to a hard disk, amagnetic disk drive 816 for reading from or writing to a removablemagnetic disk 818, and an optical disk drive 820 for reading from orwriting to a removable optical disk 822 such as a CD ROM, DVD ROM, orother optical media. Hard disk drive 814, magnetic disk drive 816, andoptical disk drive 820 are connected to bus 806 by a hard disk driveinterface 824, a magnetic disk drive interface 826, and an optical driveinterface 828, respectively. The drives and their associatedcomputer-readable media provide nonvolatile storage of computer-readableinstructions, data structures, program modules and other data for thecomputer. Although a hard disk, a removable magnetic disk and aremovable optical disk are described, other types of hardware-basedcomputer-readable storage media can be used to store data, such as flashmemory cards, digital video disks, RAMs, ROMs, and other hardwarestorage media.

A number of program modules may be stored on the hard disk, magneticdisk, optical disk, ROM, or RAM. These programs include operating system830, one or more application programs 832, other programs 834, andprogram data 836. Application programs 832 or other programs 834 mayinclude, for example, computer program logic (e.g., computer programcode or instructions) for implementing the systems described above,including the classification, policy determination, and data protectionembodiments described in reference to FIGS. 1-6.

A user may enter commands and information into the computing device 800through input devices such as keyboard 838 and pointing device 840.Other input devices (not shown) may include a microphone, joystick, gamepad, satellite dish, scanner, a touch screen and/or touch pad, a voicerecognition system to receive voice input, a gesture recognition systemto receive gesture input, or the like. These and other input devices areoften connected to processor circuit 802 through a serial port interface842 that is coupled to bus 806, but may be connected by otherinterfaces, such as a parallel port, game port, or a universal serialbus (USB).

A display screen 844 is also connected to bus 806 via an interface, suchas a video adapter 846. Display screen 844 may be external to, orincorporated in computing device 800. Display screen 844 may displayinformation, as well as being a user interface for receiving usercommands and/or other information (e.g., by touch, finger gestures,virtual keyboard, etc.). In addition to display screen 844, computingdevice 800 may include other peripheral output devices (not shown) suchas speakers and printers.

Computing device 800 is connected to a network 848 (e.g., the Internet)through an adaptor or network interface 850, a modem 852, or other meansfor establishing communications over the network. Modem 852, which maybe internal or external, may be connected to bus 806 via serial portinterface 842, as shown in FIG. 8, or may be connected to bus 806 usinganother interface type, including a parallel interface.

As used herein, the terms “computer program medium,” “computer-readablemedium,” and “computer-readable storage medium” are used to generallyrefer to physical hardware media such as the hard disk associated withhard disk drive 814, removable magnetic disk 818, removable optical disk822, other physical hardware media such as RAMs, ROMs, flash memorycards, digital video disks, zip disks, MEMs, nanotechnology-basedstorage devices, and further types of physical/tangible hardware storagemedia (including system memory 804 of FIG. 8). Such computer-readablestorage media are distinguished from and non-overlapping withcommunication media (do not include communication media). Communicationmedia typically embodies computer-readable instructions, datastructures, program modules or other data in a modulated data signalsuch as a carrier wave. The term “modulated data signal” means a signalthat has one or more of its characteristics set or changed in such amanner as to encode information in the signal. By way of example, andnot limitation, communication media includes wireless media such asacoustic, RF, infrared and other wireless media, as well as wired media.Embodiments are also directed to such communication media.

As noted above, computer programs and modules (including applicationprograms 832 and other programs 834) may be stored on the hard disk,magnetic disk, optical disk, ROM, RAM, or other hardware storage medium.Such computer programs may also be received via network interface 850,serial port interface 852, or any other interface type. Such computerprograms, when executed or loaded by an application, enable computingdevice 800 to implement features of embodiments discussed herein.Accordingly, such computer programs represent controllers of thecomputing device 800.

Embodiments are also directed to computer program products comprisingcomputer code or instructions stored on any computer-readable medium.Such computer program products include hard disk drives, optical diskdrives, memory device packages, portable memory sticks, memory cards,and other types of physical storage hardware.

IV. Additional Exemplary Embodiments

Embodiments are also directed to computer program products comprisingcomputer code or instructions stored on any computer-readable medium.Such computer program products include hard disk drives, optical diskdrives, memory device packages, portable memory sticks, memory cards,and other types of physical storage hardware.

A method in a data object manager executing on a computing device isdescribed herein. The method includes: retrieving a set of conditionsfrom a server accessible over a network by the computing device;determining a tag for a data object stored on the computing device basedon the set of conditions; tagging the data object with the determinedtag; retrieving a policy from the server based on the tag, the policyspecifying an enforcement action to be performed by the data objectmanager with respect to the data object, the same policy beingretrievable and enforceable by other data object managers executing onother computing devices located in different computing environments; andperforming the specified enforcement action.

In one embodiment of the foregoing method, the enforcement actioncomprises at least one of: encrypting the data object; placing one ormore restrictions on the data object; watermarking the data object;moving the data object to a particular location; quarantining the dataobject; or performing a modification to the data object.

In another embodiment of the foregoing method, the set of conditions isused to analyze at least one property of the data object, the at leastone property comprising: a location of the data object; an ownership ofthe data object; content of the data object; metadata associated withthe data object; or an application that accessed the data object.

In a further embodiment of the foregoing method, retrieving the policycomprises: providing a tag identifier that identifies the tag to theserver, the server configured to determine the policy based on the tagidentifier and provide the determined policy to the computing device.

In yet another embodiment of the foregoing method, each of the differentcomputing environments comprises: a computing environment that is on thepremise of a user or company that maintains the computing device; or acloud-based computing environment.

In still another embodiment of the foregoing method, the method furtherincludes: determining that an access to the data object has occurred;and providing an identification of the determined access to the server.

In yet another embodiment of the foregoing method, the method furtherincludes: providing an identifier of the data object and a tagidentifier that identifies the tag of the data object to the server, theserver associating the identifier of the data object and the tagidentifier to the identification of the determined access.

In still another embodiment of the foregoing method, tagging the dataobject comprises: tagging the data object with the tag by changing thedata object to include the tag.

A computer-readable storage medium having program instructions recordedthereon for a data object manager that, when executed by at least oneprocessor, perform a method on a computing device is also describedherein. The method includes retrieving a set of conditions from acloud-based server remotely located from the computing device;determining a tag for the data object based on the set of conditions;tagging the data object with the determined tag; retrieving a policyfrom the cloud-based server based on the tag, the policy specifying anenforcement action to be performed by the data object manager withrespect to the data object, the same policy being retrievable andenforceable by other data object managers executing on other computingdevices located in different computing environments; and performing thespecified enforcement action.

In an embodiment of the foregoing computer-readable storage medium, theenforcement action comprises at least one of: encrypting the dataobject; placing one or more restrictions on the data object;watermarking the data object; moving the data object to a particularlocation; quarantining the data object; or performing a modification tothe data object.

In another embodiment of the foregoing computer-readable storage medium,the set of conditions is used to analyze at least one property of thedata object, the at least one property comprising: a location of thedata object; an ownership of the data object; content of the dataobject; metadata associated with the data object; or an application thataccessed the data object.

In a further embodiment of the foregoing computer-readable storagemedium, retrieving the policy comprises: providing a tag identifier thatidentifies the tag to the server, the server configured to determine thepolicy based on the tag identifier and provide the determined policy tothe computing device.

In yet another embodiment of the foregoing computer-readable storagemedium, the method further includes: determining that an access to thedata object has occurred; and providing an identification of thedetermined access to the server.

In still another embodiment of the foregoing computer-readable storagemedium, the method further includes: providing an identifier of the dataobject and a tag identifier that identifies the tag of the data objectto the server, the server associating the identifier of the data objectand the tag identifier to the identification of the determined access.

In yet another embodiment of the foregoing method, tagging the dataobject comprises: tagging the data object with the tag by changing thedata object to include the tag.

A server is further described herein. The server includes at least oneprocessor circuit and at least one memory that stores program codeconfigured to be executed by the at least one processor circuit. Theprogram code includes a distribution service configured to: receive,from a first computing device storing a first instance of a data objectand that is accessible over a network by the server, a first query for apolicy specifying an enforcement action to be performed by a firstinstance of a data object manager executing on the first computingdevice with respect to the first instance of the data object, the firstquery comprising a first tag identifier that identifies a tag associatedwith the first instance of the data object; determine the policy to beprovided to the first computing device based on the first tag identifierand provide the determined policy to the first computing device, thepolicy being enforceable by the first instance of the data objectmanager; receive, from a second computing device storing a secondinstance of the data object and that is accessible over a network by theserver, a second query for a policy specifying an enforcement action tobe performed by a second instance of the data object manager executingon the second computing device with respect to the second instance ofthe data object, the second query comprising a second tag identifierthat identifies the tag associated with the second instance of the dataobject, the second tag identifier being the same as the first tagidentifier; and determine a policy to be provided to the secondcomputing device based on the second tag identifier and provide thedetermined policy to the second computing device, the policy provided tothe second computing device being enforceable by the second instance ofthe data object manager and being the same as the policy provided to thefirst computing device.

In an embodiment of the server, the distribution service furtherconfigured to: receive, from the first computing device, a firstidentification of an access to the first instance of the data object viafirst computing device; receive, from the second computing device, asecond identification of an access to the second instance of the dataobject via the second computing device; store the first identificationand the second identification in a data store coupled to the server.

In another embodiment of the server, the program code further comprises:a management console configured to access the data store to provide anaggregated view of the accesses performed on the first instance and thesecond instance of the data object via the first computing device andthe second computing device, the aggregated view being provided via agraphical user interface.

In yet another embodiment of the server, the program code furthercomprises: a management console configured to provide a graphical userinterface that enables a user to specify a set of conditions that areused by at least one of the first instance of the data object manager toanalyze at least one property of the first instance of the data objector the second instance of the data object manager to analyze at leastone property of the second instance of the data object, the tagassociated with the first instance of the data object being determinedbased on the analysis of the at least one property of the first instanceof the data object, the tag associated with the second instance of thedata object being determined based on the analysis of the at least oneproperty of the second instance of the data object.

In still another embodiment of the server, the server is in a firstcomputing environment and at least one of the first computing device orthe second computing device is in a second computing environment.

IV. Conclusion

While various embodiments of the present invention have been describedabove, it should be understood that they have been presented by way ofexample only, and not limitation. It will be understood by those skilledin the relevant art(s) that various changes in form and details may bemade therein without departing from the spirit and scope of theinvention as defined in the appended claims. Accordingly, the breadthand scope of the present invention should not be limited by any of theabove-described exemplary embodiments, but should be defined only inaccordance with the following claims and their equivalents.

What is claimed is:
 1. A server, comprising: at least one processorcircuit; and at least one memory that stores program code configured tobe executed by the at least one processor circuit, the program codecomprising: a distribution service configured to: receive, from a firstcomputing device storing a first instance of a data object and that isaccessible over a network by the server, a first query for a policyspecifying an enforcement action to be performed by a first instance ofa data object manager executing on the first computing device withrespect to the first instance of the data object, the first querycomprising a first tag identifier that identifies a tag associated withthe first instance of the data object; determine the policy to beprovided to the first computing device based on the first tag identifierand provide the determined policy to the first computing device, thepolicy being enforceable by the first instance of the data objectmanager; receive, from a second computing device storing a secondinstance of the data object and that is accessible over a network by theserver, a second query for a policy specifying an enforcement action tobe performed by a second instance of the data object manager executingon the second computing device with respect to the second instance ofthe data object, the second query comprising a second tag identifierthat identifies the tag associated with the second instance of the dataobject, the second tag identifier being the same as the first tagidentifier; and determine a policy to be provided to the secondcomputing device based on the second tag identifier and provide thedetermined policy to the second computing device, the policy provided tothe second computing device being enforceable by the second instance ofthe data object manager and being the same as the policy provided to thefirst computing device.
 2. The server of claim 1, the distributionservice further configured to: receive, from the first computing device,a first identification of an access to the first instance of the dataobject via first computing device; receive, from the second computingdevice, a second identification of an access to the second instance ofthe data object via the second computing device; and store the firstidentification and the second identification in a data store coupled tothe server.
 3. The server of claim 2, the program code furthercomprising: a management console configured to access the data store toprovide an aggregated view of the accesses performed on the firstinstance and the second instance of the data object via the firstcomputing device and the second computing device, the aggregated viewbeing provided via a graphical user interface.
 4. The server of claim 1,the program code further comprising: a management console configured toprovide a graphical user interface that enables a user to specify a setof conditions that are used by at least one of the first instance of thedata object manager to analyze at least one property of the firstinstance of the data object or the second instance of the data objectmanager to analyze at least one property of the second instance of thedata object, the tag associated with the first instance of the dataobject being determined based on the analysis of the at least oneproperty of the first instance of the data object, the tag associatedwith the second instance of the data object being determined based onthe analysis of the at least one property of the second instance of thedata object.
 5. The server of claim 4, wherein the graphical userinterface is further configured to enable a search for the firstinstance of the data object and the second instance of the data objectbased on the tag associated with the first instance of the data objectand the second instance of the data object.
 6. The server of claim 4,wherein the at least one property of the first instance of the dataobject or the second instance of the data object comprises at least oneof: a location of the first instance of the data object or the secondinstance of the data object; an ownership of the first instance of thedata object or the second instance of the data object; content of thefirst instance of the data object or the second instance of the dataobject; metadata associated with the first instance of the data objector the second instance of the data object; or an application thataccessed the first instance of the data object or the second instance ofthe data object.
 7. The server of claim 1, wherein the server is in afirst computing environment and at least one of the first computingdevice or the second computing device is in a second computingenvironment.
 8. A method implemented by a server, comprising: receiving,from a first computing device storing a first instance of a data objectand that is accessible over a network by the server, a first query for apolicy specifying an enforcement action to be performed by a firstinstance of a data object manager executing on the first computingdevice with respect to the first instance of the data object, the firstquery comprising a first tag identifier that identifies a tag associatedwith the first instance of the data object; determining the policy to beprovided to the first computing device based on the first tag identifierand provide the determined policy to the first computing device, thepolicy being enforceable by the first instance of the data objectmanager; receiving, from a second computing device storing a secondinstance of the data object and that is accessible over a network by theserver, a second query for a policy specifying an enforcement action tobe performed by a second instance of the data object manager executingon the second computing device with respect to the second instance ofthe data object, the second query comprising a second tag identifierthat identifies the tag associated with the second instance of the dataobject, the second tag identifier being the same as the first tagidentifier; and determining a policy to be provided to the secondcomputing device based on the second tag identifier and provide thedetermined policy to the second computing device, the policy provided tothe second computing device being enforceable by the second instance ofthe data object manager and being the same as the policy provided to thefirst computing device.
 9. The method of claim 8, further comprising:receiving, from the first computing device, a first identification of anaccess to the first instance of the data object via first computingdevice; receiving, from the second computing device, a secondidentification of an access to the second instance of the data objectvia the second computing device; and storing the first identificationand the second identification in a data store coupled to the server. 10.The method of claim 9, further comprising: accessing the data store toprovide an aggregated view of the accesses performed on the firstinstance and the second instance of the data object via the firstcomputing device and the second computing device, the aggregated viewbeing provided via a graphical user interface.
 11. The method of claim8, further comprising: providing a graphical user interface that enablesa user to specify a set of conditions that are used by at least one ofthe first instance of the data object manager to analyze at least oneproperty of the first instance of the data object or the second instanceof the data object manager to analyze at least one property of thesecond instance of the data object, the tag associated with the firstinstance of the data object being determined based on the analysis ofthe at least one property of the first instance of the data object, thetag associated with the second instance of the data object beingdetermined based on the analysis of the at least one property of thesecond instance of the data object.
 12. The method of claim 11, whereinthe graphical user interface is further configured to enable a searchfor the first instance of the data object and the second instance of thedata object based on the tag associated with the first instance of thedata object and the second instance of the data object.
 13. The methodof claim 11, wherein the at least one property of the first instance ofthe data object or the second instance of the data object comprises atleast one of: a location of the first instance of the data object or thesecond instance of the data object; an ownership of the first instanceof the data object or the second instance of the data object; content ofthe first instance of the data object or the second instance of the dataobject; metadata associated with the first instance of the data objector the second instance of the data object; or an application thataccessed the first instance of the data object or the second instance ofthe data object.
 14. The method of claim 8, wherein the server is in afirst computing environment and at least one of the first computingdevice or the second computing device is in a second computingenvironment.
 15. A computer-readable storage medium having programinstructions recorded thereon that, when executed by at least oneprocessor, perform a method on a server, the method comprising:receiving, from a first computing device storing a first instance of adata object and that is accessible over a network by the server, a firstquery for a policy specifying an enforcement action to be performed by afirst instance of a data object manager executing on the first computingdevice with respect to the first instance of the data object, the firstquery comprising a first tag identifier that identifies a tag associatedwith the first instance of the data object; determining the policy to beprovided to the first computing device based on the first tag identifierand provide the determined policy to the first computing device, thepolicy being enforceable by the first instance of the data objectmanager; receiving, from a second computing device storing a secondinstance of the data object and that is accessible over a network by theserver, a second query for a policy specifying an enforcement action tobe performed by a second instance of the data object manager executingon the second computing device with respect to the second instance ofthe data object, the second query comprising a second tag identifierthat identifies the tag associated with the second instance of the dataobject, the second tag identifier being the same as the first tagidentifier; and determining a policy to be provided to the secondcomputing device based on the second tag identifier and provide thedetermined policy to the second computing device, the policy provided tothe second computing device being enforceable by the second instance ofthe data object manager and being the same as the policy provided to thefirst computing device.
 16. The computer-readable storage medium ofclaim 15, the method further comprising: receiving, from the firstcomputing device, a first identification of an access to the firstinstance of the data object via first computing device; receiving, fromthe second computing device, a second identification of an access to thesecond instance of the data object via the second computing device; andstoring the first identification and the second identification in a datastore coupled to the server.
 17. The computer-readable storage medium ofclaim 16, the method further comprising: accessing the data store toprovide an aggregated view of the accesses performed on the firstinstance and the second instance of the data object via the firstcomputing device and the second computing device, the aggregated viewbeing provided via a graphical user interface.
 18. The computer-readablestorage medium of claim 15, the method further comprising: providing agraphical user interface that enables a user to specify a set ofconditions that are used by at least one of the first instance of thedata object manager to analyze at least one property of the firstinstance of the data object or the second instance of the data objectmanager to analyze at least one property of the second instance of thedata object, the tag associated with the first instance of the dataobject being determined based on the analysis of the at least oneproperty of the first instance of the data object, the tag associatedwith the second instance of the data object being determined based onthe analysis of the at least one property of the second instance of thedata object.
 19. The computer-readable storage medium of claim 18,wherein the graphical user interface is further configured to enable asearch for the first instance of the data object and the second instanceof the data object based on the tag associated with the first instanceof the data object and the second instance of the data object.
 20. Thecomputer-readable storage medium of claim 18, wherein the at least oneproperty of the first instance of the data object or the second instanceof the data object comprises at least one of: a location of the firstinstance of the data object or the second instance of the data object;an ownership of the first instance of the data object or the secondinstance of the data object; content of the first instance of the dataobject or the second instance of the data object; metadata associatedwith the first instance of the data object or the second instance of thedata object; or an application that accessed the first instance of thedata object or the second instance of the data object.